
11 matches found

OSV
added 2026/05/04 7:59 p.m. | 2 views

GHSA-X68M-C7JF-2572 Kirby CMS's system API endpoint leaks installed version and license data to authenticated users

TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. ---- Introduction Missing authorization allows authenticated users to perform actions they are not intended to have access to. The effects of missing authorization can...

CVSS 5.3 | AI score 5.8 | EPSS 0.00029
Exploits: 0 | References: 5

Vulnrichment
added 2026/04/21 7:52 p.m. | 0 views

CVE-2026-40908 WWBN AVideo has an Unauthenticated Information Disclosure via git.json.php that Exposes Developer Emails and Deployed Version

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the file git.json.php at the web root executes git log -1 and returns the full output as JSON to any unauthenticated user. This exposes the exact deployed commit hash enabling version fingerprinting against known CVEs,...

CVSS 5.3 | AI score 5.7 | EPSS 0.00088
Exploits: 1 | References: 1

Snyk
added 2026/04/03 3:2 a.m. | 2 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the Control UI bootstrap JSON process. An attacker can obtain sensitive information, such as version and assistant agent ID, by accessing the exposed payload...

CVSS 6.9 | AI score 5.9 | EPSS 0.00041
Exploits: 0 | References: 2

VulnCheck KEV
added 2026/03/31 12:0 a.m. | 19 views

VulnCheck KEV: CVE-2026-4020

The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true, allowing any...

CVSS 7.5 | AI score 5.8 | EPSS 0.12901
In wild | Exploits: 0 | References: 8

Positive Technologies
added 2026/03/31 12:0 a.m. | 0 views

PT-2026-29181

Name of the Vulnerable Software and Affected Versions Gravity SMTP versions prior to 2.1.5 Description The Gravity SMTP plugin for WordPress has a flaw that allows unauthorized access to sensitive information. A REST API endpoint located at '/wp-json/gravitysmtp/v1/tests/mock-data' does not requi...

CVSS 7.5 | AI score 5.9 | EPSS 0.12901
Exploits: 0 | References: 13

Positive Technologies
added 2025/10/31 12:0 a.m. | 2 views

PT-2025-44581

Name of the Vulnerable Software and Affected Versions FutureNet MA and IP-K series versions affected versions not specified Description FutureNet MA and IP-K series devices from Century Systems Co., Ltd. expose firmware version and garbage collection information on an internal web page. This...

CVSS 6.9 | AI score 6.5 | EPSS 0.00069
Exploits: 0 | References: 6

EUVD
added 2025/10/29 6:30 p.m. | 1 views

EUVD-2025-36691

Incorrect access control on Dataphone A920 v2025.07.161103 exposes a service on port 8888 by default on the local network without authentication. This allows an attacker to interact with the device via a TCP socket without credentials. Additionally, sending an HTTP request to the service on port...

AI score 6.1 | EPSS 0.00062
Exploits: 0 | References: 2

NVD
added 2025/10/29 5:15 p.m. | 1 views

CVE-2025-61234

Incorrect access control on Dataphone A920 v2025.07.161103 exposes a service on port 8888 by default on the local network without authentication. This allows an attacker to interact with the device via a TCP socket without credentials. Additionally, sending an HTTP request to the service on port...

CVSS 7.5 | EPSS 0.00062
Exploits: 0 | References: 1

EUVD
added 2025/10/03 8:7 p.m. | 1 views

EUVD-2025-31153

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.6 | EPSS 0.00229
Exploits: 1 | References: 4

CVE
added 2025/09/25 12:0 a.m. | 11 views

CVE-2025-29157

CVE-2025-29157 concerns the Swagger Petstore sample (version 1.0.7). The issue occurs when an attacker accesses a non-existent endpoint like /cart, causing the server to return a 404 error page that reveals sensitive information, including the servlet name (default) and server version. The descri...

CVSS 6.5 | AI score 7.4 | EPSS 0.00229
Exploits: 1 | References: 3 | Affected Software: 1

OSV
added 2021/09/24 6:15 p.m. | 1 views

CVE-2021-22869

An improper access control vulnerability in GitHub Enterprise Server allowed a workflow job to execute in a self-hosted runner group it should not have had access to. This affects customers using self-hosted runner groups for access control. A repository with access to one enterprise runner group...

CVSS 9.8 | AI score 5.9
Exploits: 0 | References: 2